Learn Linux, 302 (Mixed environments): File services

Learn how to create and configure file shares in a mixed
environment

In preparation for taking the Linux Professional Institute Certification
exam LPI-302 for systems administrators,
learn how to configure Samba and structure your configuration file.
Also, learn how Samba interacts with the network, how
to configure logging, and how to debug problems with Samba.

See our developerWorks roadmap for LPIC-3 for a description of and
link to each article in this series. The roadmap is in progress and
reflects the current objectives (November 2010) for the
LPIC-3 exams. As each article is completed, it is added to the
roadmap.

In this article, learn to:

Create and configure file sharing

Plan a file service migration

Hide the administrative share, IPC$

Create scripts for user and group handling of file shares

Use command-line tools relating to file shares

This article helps you prepare for Objective 312.2 in Topic 312 of the
Linux Professional Institute's Mixed Environment Specialty exam (302). The
objective has a weight of 4.

Prerequisites

To get the most from the articles in this series, you should have an
advanced knowledge of Linux and a working Linux system on which you can
practice the commands covered in this article. In addition, you should
have access to a Windows environment that you can use to test file and
print access.

Creating file shares

Recall from the previous article that Samba understands any section inside
smb.conf other than homes,
printers, and global
to be a share name. Besides the name of the share, mapping the share name
to a location on disk is the other important piece of information. Here is
the simplest useful share:

[tmpdir]
path = /var/tmp

About the elective LPI-302
exam

Linux Professional Institute Certification (LPIC) is like many other
certifications in that different levels are offered, with each level
requiring more knowledge and experience than the previous one. The
LPI-302 exam is an elective specialty exam in the third level of the
LPIC hierarchy and requires an advanced level of Linux system
administration knowledge.

To get your LPIC level 3 (LPIC-3) certification, you must pass the two
first-level exams (101 and 102), the two second-level exams (201 and
202), and the LPIC-3 core exam (301). After you have achieved this
level, you can take the elective specialty exams, such as LPI-302.

This code defines a share called tmpdir that maps to /var/tmp on
the Samba server. For example, if the server were named phoenix,
then users would be able to access that file share with the Universal
Naming Convention (UNC) path \\phoenix\tmpdir. This sparse configuration
is not useful, however: The default setting for a share is to be
read-only, so the share above would not be writable.

Using security parameters

Samba has many security-related parameters that control what can be
accessed by whom and from where. Many of these parameters affect the
interaction between Samba and the underlying UNIX file permissions and are
not discussed in this article. However, a few more general parameters are
discussed here.

Server Message Block (SMB) servers, including native Microsoft
implementations, have a share called IPC$, which is the
interprocess communication share and is used to execute software functions
over a network. A share ending in a dollar sign
($) is considered hidden and not shown in
Microsoft clients, even thought the server will advertise the existence of
the share.

Samba creates the IPC$ share even though it may not exist in smb.conf. If
you create the share, you can control access to it. Here is an example of
a restricted IPC$ share:

[IPC$]
hosts allow = 192.168.1.0/255.255.255.0
browsable = no

Build your own feed

You can build a custom RSS, Atom, or HTML feed so you will be notified
as we add new articles or update content. Go to developerWork RSS feeds. Select Linux for
the zone and Articles for the type, and type
Linux Professional Institute for the
keywords. Then, choose your preferred feed type.

This snippet defines the IPC$ share and marks it as only accessible to
people on the 192.168.1.0 network. The example further turns off the
Browsable feature, which tells Samba that the share should not be shown
when clients ask for it.

Some time ago, it was common practice to hide sensitive shares such as IPC$
in hopes that an attacker might ignore the target. This is silly with
regard to the IPC$ share. For example, asking a server for a list of
shares relies on connecting to the IPC$ share. If you look at Samba debugs
and packet traces, you will see that this Browsable option has no effect.
The reason I even bring it up is because it is mentioned in the exam
outline. It is far better to restrict the hosts that can connect than it
is to try and hide the IPC$ share.

A user can connect to a share without a user name, which makes that user a
guest. By default, a share does not allow guest users, but
you can enable this account with guest ok = yes
at the share level. The default guest user is nobody, but you can
change this user with the global guest account
parameter.

Symbolic links are used extensively on UNIX systems to link two areas of a
file system. For example, in your home directory, you can create a
symbolic link to the system-wide temporary directory and use it as if it
were part of your home directory. Samba follows these symbolic links,
which could let people access areas outside of the file share. If you
don't want this to happen, use
follow symlinks = no in your share.

If you want to restrict the users who can access a share, use the
valid users parameter. For example,
valid users = sean, jon, isaac allows only
those three users to access the share on which that parameter is used. You
can use this parameter in addition to file-level permissions as an extra
level of safety for sensitive shares.

Home shares

It is common to give users a home directory for their personal files. Each
user in the UNIX password file has a home directory assigned. You can
easily export any number of home directories through Samba without having
to type a separate configuration section by using the
[homes] section. When someone requests a share
called joe, Samba looks for a configured share called
joe; if Samba doesn't find that share, it looks for a user by
the same name. If the user is found, Samba then uses the configuration in
the [homes] section as a template for this
share.

Listing 1. A template for user home shares

Assigns a comment, which is shown to people looking at the details of
available file shares on that server

Marks the share as writable so that users can make changes to their
home directory

Indicates that the share can be seen when users browses for a list of
shares; they will see both homes and a share with their user name

Limits the users who can connect to this share to the user who owns
the share

Note the use of the %S macro in Listing 1: This
macro expands to the name of the share. Because the user name is the same
as the share, the valid users restriction
enforces that only the owner of the share can use it.

Now, whenever users look for a list of shares, they will see their home
directory and be able to connect to it. The share will be mapped to their
UNIX home directory.

Another interesting thing about the homes share is that if you connect to
\\server\homes directly, you will get your own share, just as if you had
connected to \\server\username. This is an extra feature the Samba team
put in place to help people on shared machines and reduce confusion.

Scripts to add users and
groups

If you look to a Microsoft domain for your user list, it's possible that a
user connecting to your server might not have a local UNIX account. One
way around this issue is to have Samba create the user for you when the
user connects with the add user script
parameter. The %u macro expands to the user in
question. You can use a system tool like
useradd or write your own scripts.

A similar parameter exists for
groups—add group
script—which
you use when you use Microsoft tools to manage the Samba instance. Also
helpful if you use these tools are
add user to group and the similar
delete scripts. The smb.conf man page has a
complete list of scriptable tasks.

Having a daemon create users on demand is not always the best idea. You may
be better served by using winbind or a
Lightweight Directory Access Protocol (LDAP)-based authentication
mechanism so that Samba and Linux can share a common user database.

Dealing with mixed case

The case of a file or directory name does not matter in the Microsoft
realm. That is, FILE, file, and FiLe all refer to the
same file. In Linux, however, case is important, so those three files
would all be different. Samba needs to know how to map between these two
worlds to resolve any conflicts. This case-mapping process is part of a
larger process called name mangling.

A few parameters affect mangling of file name case. The most important
parameter is case sensitive, which can be
yes, no, or
auto. If
case sensitive is enabled, Samba uses whatever
case the client requests. If this setting is disabled, Samba looks through
the directory for a case-insensitive match.

One problem with case sensitivity is that set incorrectly, you might not be
able to access some files. Consider a directory with two files—one
called test and the other called TEST. If Samba doesn't
use case-sensitive access, then it is unable to differentiate between the
two files.

The default for this setting is auto, which
looks for a client extension field to indicate that the client supports
case-sensitive access. Windows clients do not support this functionality,
so they will not use case sensitivity.

The default case and
preserve case parameters work with each other.
If preserve case is set to
yes, then whatever the client sets is used. If
preserve case is set to
no, then the value of
default case is used to determine the case of
the newly created file.

Enabling Usershare

Users can create their own shares without having to modify smb.conf by
using a feature called Usershare. After the administrator enables
the Usershare feature, regular users use a command-line tool to export
directories of their choosing. Users can also delete their shares when
they are done.

The first step to using Usershare is to enable the feature at the global
level. Listing 2 shows a part of smb.conf that enables Usershare.

Listing 2. Enabling Usershare

Listing 2 operates in the [global] section.
First, the usershare path defines a directory
that Samba uses for the configuration related to the user share. There are
several restrictions on this directory that will be explained later. Next,
a limit on the number of user shares is imposed. The last two parameters
show how to restrict the directories that can be shared.
usershare prefix allow list restricts all the
shares to the given directories—in this case, the shares must come
from under /home. usershare prefix deny list
takes the opposite approach and allows anything except the given
directories.

Samba imposes two other restrictions on user shares. First, the
usershare path must be writable by the user
creating the share, and the directory must have the sticky bit set
(1000 or +t).
Second, the user must own the directory being shared unless
usershare owner only is set to
false.

The first restriction regarding file permissions means that care must be
taken when creating the usershare path. If you
want to restrict user shares to people in the usershare group, then a
series of commands like these are required:

The first command creates the directory and any required parent
directories. The next command sets the user and group ownership of the
directory to root and usershares, respectively. The final command sets the
owner and group permissions of the directory to Read/Write/Execute, denies
access to everyone else, and sets the sticky bit. Thus, only root and
members of the usershares group can use this directory; by virtue of the
sticky bit, only the owner of a file can delete the file.

Setting up the share is perhaps the most difficult part of the exercise. A
user can run:

net usershare add docs /home/me/Documents/ "My docs" Everyone:F

The above command exports /home/me/Documents as a share called
docs with Full Control for everyone. Other commands allowed
are:

Command-line tools

Samba comes with several command-line tools. Through the
libsmbclient that Samba provides, other people
have made SMB/Common Internet File System (CIFS) utilities that are in
common use.

One striking difference between UNIX and Windows is that UNIX has one big
file system, where Windows has a series of drive letters. The
smbclient utility lets you browse a remote
Windows share in an File Transfer Protocol (FTP)-like interface, but to be
transparent to applications, a remote Windows share should be mountable
like any other file system.

Samba comes with a utility called smbmount,
which is sometimes repackaged as mount.cifs. You can call this command
directly or through the mount command. Listing
3 shows a Linux system mounting a remote CIFS share onto the regular file
system.

Listing 3. Mounting a remote CIFS share

The first command mounts a CIFS file system on the given UNC path and
places it on /mnt. Other than the UNC path, this looks like a standard
mount invocation. Options are passed with the
-o option. The only option needed here is the
user name. The mount.cifs man page outlines all the other options, which
can include a password and a domain. If you don't specify a password, you
will be prompted for one. Finally, the mount
command shows the mounted file system.

Another command is smbsh. Instead of mounting a
file system through standard UNIX means, smbsh
intercepts library calls for file requests and, if necessary, redirects
the request to a CIFS share. Most systems do not ship with this command
anymore, because it is not as reliable as mounting a file system.

Migrating file shares

When you move file services from one server to another, users may forget to
access the new server. Samba allows you to have your server respond to
another name. For example, if you move file shares from a server called
phoenix to a server called fs2, you can have fs2
respond to requests for phoenix. You will, of course, have to make sure
that phoenix doesn't respond, either by turning it off or renaming it.

To add an alias to a server, use the
netbios aliases global parameter. If you want
to change the name of a Samba server to something other than the UNIX name
of the server, use the netbios name parameter.

The commands you have learned so far about mounting file systems will also
be helpful in copying files from one server to another in preparation for
a migration. You may also wish to use UNIX utilities like
rsync to help out.

Get products and technologies

Evaluate
IBM products in the way that suits you best: Download a product
trial, try a product online, use a product in a cloud environment, or
spend a few hours in the SOA Sandbox learning how to implement Service Oriented
Architecture efficiently.

Discuss

Get involved in the My developerWorks
community. Connect with other developerWorks users while exploring
the developer-driven blogs, forums, groups, and wikis.

The first time you sign into developerWorks, a profile is created for you. Information in your profile (your name, country/region, and company name) is displayed to the public and will accompany any content you post, unless you opt to hide your company name. You may update your IBM account at any time.